diff --git a/docs/resource/aws_iam_role_policies_exclusive.md b/docs/resource/aws_iam_role_policies_exclusive.md
new file mode 100644
index 00000000000..aafd90014c3
--- /dev/null
+++ b/docs/resource/aws_iam_role_policies_exclusive.md
@@ -0,0 +1,52 @@
+---
+subcategory: "IAM (Identity & Access Management)"
+layout: "aws"
+page_title: "AWS: aws_iam_role_policies_exclusive"
+description: |-
+ Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+---
+
+# Resource: aws_iam_role_policies_exclusive
+
+Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+
+-> **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+!> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy` resources managed alongside this resource are included in the `policy_names` argument.
+
+~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+
+## Example Usage
+
+### Basic Usage
+
+```terraform
+resource "aws_iam_role_policies_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_names = [aws_iam_role_policy.example.name]
+}
+```
+
+### Disallow Inline Policies
+
+To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+
+~> This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+```terraform
+resource "aws_iam_role_policies_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_names = []
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `role_name` - (Required) IAM role name.
+* `policy_names` - (Required) A list of inline policy names to be assigned to the role. Policies attached to this role but not configured in this argument will be removed.
+
+## Attribute Reference
+
+This resource exports no additional attributes.
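Review bot: the new markdown drops the `## Import` section that the previous generated description carried (the removed schema lines further down show it consisted of `pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole`); since the `Docs.Markdown` override replaces the upstream doc wholesale, add that section back here or users lose the only documented way to adopt an existing role's inline policies under this resource. Two wording points in the same file: the NOTE on the `--refresh` line says "customer managed inline policies", but inline policies are embedded in the role and are not customer managed policies in IAM terms, so drop "customer managed"; and the Disallow note says reconciliation happens "only when `apply` is proactively run", which is Terraform vocabulary and in this document should read `pulumi up` (and, given the NOTE directly above it, `pulumi up --refresh`).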
diff --git a/docs/resource/aws_iam_role_policy_attachments_exclusive.md b/docs/resource/aws_iam_role_policy_attachments_exclusive.md
new file mode 100644
index 00000000000..596755543cc
--- /dev/null
+++ b/docs/resource/aws_iam_role_policy_attachments_exclusive.md
@@ -0,0 +1,51 @@
+---
+subcategory: "IAM (Identity & Access Management)"
+layout: "aws"
+description: |-
+ Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+---
+
+# Resource: aws.iam.RolePolicyAttachmentsExclusive
+
+Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+
+-> **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+!> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy_attachment` resources managed alongside this resource are included in the `policy_arns` argument.
+
+~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+
+## Example Usage
+
+### Basic Usage
+
+```terraform
+resource "aws_iam_role_policy_attachments_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_arns = [aws_iam_policy.example.arn]
+}
+```
+
+### Disallow Customer Managed Policies
+
+To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+
+~> This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+```terraform
+resource "aws_iam_role_policy_attachments_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_arns = []
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `role_name` - (Required) IAM role name.
+* `policy_arns` - (Required) A list of customer managed policy ARNs to be attached to the role. Policies attached to this role but not configured in this argument will be removed.
+
+## Attribute Reference
+
+This resource exports no additional attributes.
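Review bot: this file is missing the `page_title` front-matter key that its sibling `aws_iam_role_policies_exclusive.md` sets, and its H1 uses the Pulumi token `aws.iam.RolePolicyAttachmentsExclusive` while the sibling uses the Terraform name `aws_iam_role_policies_exclusive`; pick one convention for both files. The `## Import` section (`pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole` in the description this replaces) is absent here as well, and `apply` in the Disallow note should be `pulumi up`. One scoping question the text should answer: the argument reference limits `policy_arns` to customer managed policy ARNs, so say explicitly whether an AWS managed policy attached to the role (an `arn:aws:iam::aws:policy/...` ARN) is left alone or also detached by the "will be removed" behaviour; a reader hardening a role needs to know which.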
diff --git a/provider/cmd/pulumi-resource-aws/schema-minimal.json b/provider/cmd/pulumi-resource-aws/schema-minimal.json
index 320c90c5d31..d144a51bf9f 100644
--- a/provider/cmd/pulumi-resource-aws/schema-minimal.json
+++ b/provider/cmd/pulumi-resource-aws/schema-minimal.json
@@ -278809,7 +278809,7 @@
}
},
"aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive": {
- "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole\n```\n",
+ "description": "Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [exampleAwsIamPolicy.arn],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[example_aws_iam_policy[\"arn\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[]\n {\n exampleAwsIamPolicy.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{\n\t\t\t\texampleAwsIamPolicy.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns(exampleAwsIamPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns:\n - ${exampleAwsIamPolicy.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Customer Managed Policies\n\nTo automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.\n\n\u003e This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). 
This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n 
var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n",
"properties": {
"policyArns": {
"type": "array",
diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json
index 2c391b00048..428c671a97e 100644
--- a/provider/cmd/pulumi-resource-aws/schema.json
+++ b/provider/cmd/pulumi-resource-aws/schema.json
@@ -279355,7 +279355,7 @@
}
},
"aws:iam/rolePoliciesExclusive:RolePoliciesExclusive": {
- "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole\n```\n",
+ "description": "Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePoliciesExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyNames: [exampleAwsIamRolePolicy.name],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePoliciesExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_names=[example_aws_iam_role_policy[\"name\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePoliciesExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyNames = new[]\n {\n exampleAwsIamRolePolicy.Name,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePoliciesExclusive(ctx, \"example\", \u0026iam.RolePoliciesExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyNames: pulumi.StringArray{\n\t\t\t\texampleAwsIamRolePolicy.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePoliciesExclusive;\nimport com.pulumi.aws.iam.RolePoliciesExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePoliciesExclusive(\"example\", RolePoliciesExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyNames(exampleAwsIamRolePolicy.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePoliciesExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyNames:\n - ${exampleAwsIamRolePolicy.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Inline Policies\n\nTo automatically remove any configured inline policies, set the `policy_names` argument to an empty list.\n\n\u003e This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). 
This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePoliciesExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyNames: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePoliciesExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_names=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePoliciesExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyNames = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePoliciesExclusive(ctx, \"example\", \u0026iam.RolePoliciesExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyNames: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePoliciesExclusive;\nimport com.pulumi.aws.iam.RolePoliciesExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePoliciesExclusive(\"example\", 
RolePoliciesExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyNames()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePoliciesExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyNames: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n",
"properties": {
"policyNames": {
"type": "array",
@@ -279592,7 +279592,7 @@
}
},
"aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive": {
- "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole\n```\n",
+ "description": "Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [exampleAwsIamPolicy.arn],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[example_aws_iam_policy[\"arn\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[]\n {\n exampleAwsIamPolicy.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{\n\t\t\t\texampleAwsIamPolicy.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns(exampleAwsIamPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns:\n - ${exampleAwsIamPolicy.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Customer Managed Policies\n\nTo automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.\n\n\u003e This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). 
This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n 
var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n",
"properties": {
"policyArns": {
"type": "array",
diff --git a/provider/resources.go b/provider/resources.go
index c33d30afc98..9a770134410 100644
--- a/provider/resources.go
+++ b/provider/resources.go
@@ -2574,6 +2574,18 @@ compatibility shim in favor of the new "name" field.`)
// deletes the same attachment we just created, since it is structurally equivalent!
DeleteBeforeReplace: true,
},
+ "aws_iam_role_policies_exclusive": {
+ Tok: awsResource(iamMod, "RolePoliciesExclusive"),
+ Docs: &info.Doc{
+ Markdown: maybeReadFile("docs/resource/aws_iam_role_policies_exclusive.md"),
+ },
+ },
+ "aws_iam_role_policy_attachments_exclusive": {
+ Tok: awsResource(iamMod, "RolePolicyAttachmentsExclusive"),
+ Docs: &info.Doc{
+ Markdown: maybeReadFile("docs/resource/aws_iam_role_policy_attachments_exclusive.md"),
+ },
+ },
"aws_iam_role_policy": {
Tok: awsResource(iamMod, "RolePolicy"),
Fields: map[string]*tfbridge.SchemaInfo{
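Review bot: the `Docs.Markdown` override replaces the upstream documentation for both resources, which is why the Import sections disappear in the schema hunks above; either restore `## Import` in the two markdown files or keep the upstream docs and only append the Pulumi-specific notes. Two minor points: the entries are inserted ahead of `aws_iam_role_policy`, so `aws_iam_role_policy_attachments_exclusive` now sorts before it although it would follow alphabetically; and the neighbouring entry needed `DeleteBeforeReplace` because a create-then-delete of a structurally equivalent attachment removes the one just created, so it is worth a comment on why the exclusive resources do not, presumably because their delete is documented as a no-op that leaves policies in place.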
diff --git a/sdk/dotnet/Iam/RolePoliciesExclusive.cs b/sdk/dotnet/Iam/RolePoliciesExclusive.cs
index 5be1affb1c5..3b12185ffc2 100644
--- a/sdk/dotnet/Iam/RolePoliciesExclusive.cs
+++ b/sdk/dotnet/Iam/RolePoliciesExclusive.cs
@@ -10,12 +10,59 @@
namespace Pulumi.Aws.Iam
{
///
+ * {@code + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.aws.iam.RolePoliciesExclusive; + * import com.pulumi.aws.iam.RolePoliciesExclusiveArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var example = new RolePoliciesExclusive("example", RolePoliciesExclusiveArgs.builder() + * .roleName(exampleAwsIamRole.name()) + * .policyNames(exampleAwsIamRolePolicy.name()) + * .build()); + * + * } + * } + * } + *+ * <!--End PulumiCodeChooser --> + * + * ### Disallow Inline Policies + * + * To automatically remove any configured inline policies, set the `policy_names` argument to an empty list. + * + * > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. + * + * <!--Start PulumiCodeChooser --> + *
+ * {@code + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.aws.iam.RolePoliciesExclusive; + * import com.pulumi.aws.iam.RolePoliciesExclusiveArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var example = new RolePoliciesExclusive("example", RolePoliciesExclusiveArgs.builder() + * .roleName(exampleAwsIamRole.name()) + * .policyNames() + * .build()); + * + * } + * } + * } + *+ * <!--End PulumiCodeChooser --> * */ @ResourceType(type="aws:iam/rolePoliciesExclusive:RolePoliciesExclusive") diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java index ac18709267b..2283544c039 100644 --- a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java +++ b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java 
@@ -15,13 +15,91 @@ import javax.annotation.Nullable; /** - * ## Import + * Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role. * - * Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example: + * > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. * - * ```sh - * $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole - * ``` + * !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument. + * + * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role. + * + * ## Example Usage + * + * ### Basic Usage + * + * <!--Start PulumiCodeChooser --> + *
+ * {@code + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusive; + * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var example = new RolePolicyAttachmentsExclusive("example", RolePolicyAttachmentsExclusiveArgs.builder() + * .roleName(exampleAwsIamRole.name()) + * .policyArns(exampleAwsIamPolicy.arn()) + * .build()); + * + * } + * } + * } + *+ * <!--End PulumiCodeChooser --> + * + * ### Disallow Customer Managed Policies + * + * To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list. + * + * > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. + * + * <!--Start PulumiCodeChooser --> + *
+ * {@code + * package generated_program; + * + * import com.pulumi.Context; + * import com.pulumi.Pulumi; + * import com.pulumi.core.Output; + * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusive; + * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs; + * import java.util.List; + * import java.util.ArrayList; + * import java.util.Map; + * import java.io.File; + * import java.nio.file.Files; + * import java.nio.file.Paths; + * + * public class App { + * public static void main(String[] args) { + * Pulumi.run(App::stack); + * } + * + * public static void stack(Context ctx) { + * var example = new RolePolicyAttachmentsExclusive("example", RolePolicyAttachmentsExclusiveArgs.builder() + * .roleName(exampleAwsIamRole.name()) + * .policyArns() + * .build()); + * + * } + * } + * } + *+ * <!--End PulumiCodeChooser --> * */ @ResourceType(type="aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive") diff --git a/sdk/nodejs/iam/rolePoliciesExclusive.ts b/sdk/nodejs/iam/rolePoliciesExclusive.ts index 116224c5e22..09807998629 100644 --- a/sdk/nodejs/iam/rolePoliciesExclusive.ts +++ b/sdk/nodejs/iam/rolePoliciesExclusive.ts 
@@ -5,12 +5,42 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## Import + * Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role. * - * Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example: + * > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. * - * ```sh - * $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole + * !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policyNames` argument. + * + * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role. + * + * ## Example Usage + * + * ### Basic Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as aws from "@pulumi/aws"; + * + * const example = new aws.iam.RolePoliciesExclusive("example", { + * roleName: exampleAwsIamRole.name, + * policyNames: [exampleAwsIamRolePolicy.name], + * }); + * ``` + * + * ### Disallow Inline Policies + * + * To automatically remove any configured inline policies, set the `policyNames` argument to an empty list. + * + * > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). 
This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as aws from "@pulumi/aws"; + * + * const example = new aws.iam.RolePoliciesExclusive("example", { + * roleName: exampleAwsIamRole.name, + * policyNames: [], + * }); * ``` */ export class RolePoliciesExclusive extends pulumi.CustomResource { diff --git a/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts b/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts index 5fe6b634f2e..6cc2e5bdabf 100644 --- a/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts +++ b/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts 
@@ -5,12 +5,42 @@ import * as pulumi from "@pulumi/pulumi"; import * as utilities from "../utilities"; /** - * ## Import + * Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role. * - * Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example: + * > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. * - * ```sh - * $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole + * !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policyArns` argument. + * + * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role. + * + * ## Example Usage + * + * ### Basic Usage + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as aws from "@pulumi/aws"; + * + * const example = new aws.iam.RolePolicyAttachmentsExclusive("example", { + * roleName: exampleAwsIamRole.name, + * policyArns: [exampleAwsIamPolicy.arn], + * }); + * ``` + * + * ### Disallow Customer Managed Policies + * + * To automatically remove any configured customer managed policies, set the `policyArns` argument to an empty list. 
+ * + * > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as aws from "@pulumi/aws"; + * + * const example = new aws.iam.RolePolicyAttachmentsExclusive("example", { + * roleName: exampleAwsIamRole.name, + * policyArns: [], + * }); * ``` */ export class RolePolicyAttachmentsExclusive extends pulumi.CustomResource { diff --git a/sdk/python/pulumi_aws/iam/role_policies_exclusive.py b/sdk/python/pulumi_aws/iam/role_policies_exclusive.py index 5290629100b..3c64e8ab174 100644 --- a/sdk/python/pulumi_aws/iam/role_policies_exclusive.py +++ b/sdk/python/pulumi_aws/iam/role_policies_exclusive.py 
@@ -103,12 +103,40 @@ def __init__(__self__, role_name: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## Import + Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role. - Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example: + > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. - ```sh - $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole + !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument. + + > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role. + + ## Example Usage + + ### Basic Usage + + ```python + import pulumi + import pulumi_aws as aws + + example = aws.iam.RolePoliciesExclusive("example", + role_name=example_aws_iam_role["name"], + policy_names=[example_aws_iam_role_policy["name"]]) + ``` + + ### Disallow Inline Policies + + To automatically remove any configured inline policies, set the `policy_names` argument to an empty list. + + > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. 
+ + ```python + import pulumi + import pulumi_aws as aws + + example = aws.iam.RolePoliciesExclusive("example", + role_name=example_aws_iam_role["name"], + policy_names=[]) ``` :param str resource_name: The name of the resource. 
@@ -123,12 +151,40 @@ def __init__(__self__, args: RolePoliciesExclusiveArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## Import + Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role. + + > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. + + !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument. + + > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role. + + ## Example Usage + + ### Basic Usage + + ```python + import pulumi + import pulumi_aws as aws + + example = aws.iam.RolePoliciesExclusive("example", + role_name=example_aws_iam_role["name"], + policy_names=[example_aws_iam_role_policy["name"]]) + ``` + + ### Disallow Inline Policies + + To automatically remove any configured inline policies, set the `policy_names` argument to an empty list. + + > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. - Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. 
For example: + ```python + import pulumi + import pulumi_aws as aws - ```sh - $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole + example = aws.iam.RolePoliciesExclusive("example", + role_name=example_aws_iam_role["name"], + policy_names=[]) ``` :param str resource_name: The name of the resource. diff --git a/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py b/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py index dd7ded86b93..fd3d0d641b5 100644 --- a/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py +++ b/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py 
@@ -103,12 +103,40 @@ def __init__(__self__, role_name: Optional[pulumi.Input[str]] = None, __props__=None): """ - ## Import + Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role. - Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example: + > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. - ```sh - $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole + !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument. + + > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role. + + ## Example Usage + + ### Basic Usage + + ```python + import pulumi + import pulumi_aws as aws + + example = aws.iam.RolePolicyAttachmentsExclusive("example", + role_name=example_aws_iam_role["name"], + policy_arns=[example_aws_iam_policy["arn"]]) + ``` + + ### Disallow Customer Managed Policies + + To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list. + + > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). 
This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. + + ```python + import pulumi + import pulumi_aws as aws + + example = aws.iam.RolePolicyAttachmentsExclusive("example", + role_name=example_aws_iam_role["name"], + policy_arns=[]) ``` :param str resource_name: The name of the resource. 
@@ -123,12 +151,40 @@ def __init__(__self__, args: RolePolicyAttachmentsExclusiveArgs, opts: Optional[pulumi.ResourceOptions] = None): """ - ## Import + Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role. + + > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. + + !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument. + + > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role. + + ## Example Usage + + ### Basic Usage + + ```python + import pulumi + import pulumi_aws as aws + + example = aws.iam.RolePolicyAttachmentsExclusive("example", + role_name=example_aws_iam_role["name"], + policy_arns=[example_aws_iam_policy["arn"]]) + ``` + + ### Disallow Customer Managed Policies + + To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list. + + > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. - Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. 
For example: + ```python + import pulumi + import pulumi_aws as aws - ```sh - $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole + example = aws.iam.RolePolicyAttachmentsExclusive("example", + role_name=example_aws_iam_role["name"], + policy_arns=[]) ``` :param str resource_name: The name of the resource.
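Review bot: In the Java javadoc hunk for `RolePolicyAttachmentsExclusive` (`@@ -15,13 +15,91 @@`), the "Disallow Customer Managed Policies" example passes an empty list as `.policyArns()` with no arguments, which reads as "argument not set" rather than "set to empty". For an exclusive-ownership resource those two states mean opposite things (unset leaves attachments alone, empty removes every unlisted attachment), so the example should make the intent explicit, e.g. `.policyArns(List.of())`; `java.util.List` is already imported in the snippet.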
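Review bot: In the `sdk/nodejs/iam/rolePoliciesExclusive.ts` hunk, the "Disallow Inline Policies" caveat says reconciliation "happens only when `apply` is proactively run"; `apply` is the Terraform verb, and the NOTE a few lines above already uses the Pulumi form (`pulumi up --refresh`). Suggest rewording to "only when `pulumi up` is run" here; the same carried-over sentence appears in every other docblock in this patch.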
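Review bot: In the `sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts` hunk, both TypeScript examples reference `exampleAwsIamRole` and `exampleAwsIamPolicy` without declaring them, so the snippets do not compile as shown. Either add the `new aws.iam.Role(...)` / `new aws.iam.Policy(...)` declarations, or add a sentence before the first snippet stating that these are placeholders for resources defined elsewhere in the program.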
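Review bot: In the first `sdk/python/pulumi_aws/iam/role_policies_exclusive.py` hunk (`@@ -103,12 +103,40 @@`), the `## Import` section and its `pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole` example are removed without being relocated, so the docstring no longer tells users that the import ID is the `role_name`. Suggest keeping an `## Import` section after the examples rather than dropping it.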
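Review bot: In the second `role_policies_exclusive.py` hunk (`@@ -123,12 +151,40 @@`), the "Disallow Inline Policies" caveat states that reconciliation happens only when the program is applied, but does not tie this back to the NOTE above it, which says drift against inline policies added outside Pulumi is only reliably detected with `pulumi up --refresh`. Since the point of an empty `policy_names` list is to remove inline policies that were added out of band, the caveat should say that a plain `pulumi up` may not see them and that `--refresh` is needed for the removal to actually happen.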
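Review bot: In the first `sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py` hunk (`@@ -103,12 +103,40 @@`), the examples reference `example_aws_iam_role["name"]` and `example_aws_iam_policy["arn"]` with dict-style indexing, which does not match how an `aws.iam.Role` or `aws.iam.Policy` object exposes its outputs (`.name`, `.arn`); a reader who pastes this next to real resource declarations gets a runtime error. Suggest either declaring the resources in the snippet and using attribute access, or stating that the bracketed names are placeholders for values defined elsewhere.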
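Review bot: In the second `role_policy_attachments_exclusive.py` hunk (`@@ -123,12 +151,40 @@`), the admonition prefixes are converted inconsistently: the `~>` destruction note and the `->` note became plain `>` blockquotes (the latter with a `**NOTE:**` label), while the exclusive-ownership warning keeps the literal `!>` marker, which is not Markdown and will render as the characters `!>` in the Python API docs. Since this is the warning that tells users unlisted attachments will be detached, suggest mapping it the same way, e.g. `> **WARNING:** This resource takes exclusive ownership ...`.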